spring-cloud / spring-cloud-netflix

Integration with Netflix OSS components
http://cloud.spring.io/spring-cloud-netflix/
Apache License 2.0

Zuul with ribbon routing unable to validate custom ssl certificates #1684

Closed atiwari54 closed 7 years ago

atiwari54 commented 7 years ago

In my application I want to search for a service by service id, but my Zuul is not connecting to the Eureka service. Can anyone help me out?

  1. When I hit http://localhost:8761/, Zuul is not showing there
  2. If I comment out the serviceId and enable the url, then it runs as required

Here is my application.yml for Zuul:

spring:
  application:
    name: ZUUL

server:
  port: 8090

ribbon:
  eureka:
    enabled: true

eureka:
  client:
    serviceUrl:
      defaultZone: http://localhost:8761/eureka/

zuul:
  routes:
    test:
      path: /**
      serviceId: main
#     url: http://localhost:9080

spencergibb commented 7 years ago

@atiwari54 unfortunately, we don't have enough information to help you. Please be more descriptive when opening issues. Include versions, steps to reproduce and, possibly, a project that recreates the issue (not code pasted as comments).

Do you have @EnableDiscoveryClient? Do you have the eureka starter? Is zuul registered with eureka?

atiwari54 commented 7 years ago

@spencergibb, yes, I have added @EnableDiscoveryClient in my Zuul app. No, Zuul is not getting registered with Eureka; all other microservices are getting registered.

I am using

  1. spring 4.2.2.RELEASE version and spring-cloud-netflix 1.0.7.RELEASE version for ZUUL
  2. spring 4.2.2.RELEASE version and spring-cloud-netflix 1.2.3.RELEASE version for EUREKA and MAIN

atiwari54 commented 7 years ago

@spencergibb, after certain changes Zuul gets registered with Eureka, but now it is giving me

com.netflix.zuul.exception.ZuulException: Forwarding error
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.forward(RibbonRoutingFilter.java:140)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.run(RibbonRoutingFilter.java:105)
    at com.netflix.zuul.ZuulFilter.runFilter(ZuulFilter.java:112)
    at com.netflix.zuul.FilterProcessor.processZuulFilter(FilterProcessor.java:197)
    at com.netflix.zuul.FilterProcessor.runFilters(FilterProcessor.java:161)
    at com.netflix.zuul.FilterProcessor.route(FilterProcessor.java:120)
    at com.netflix.zuul.ZuulRunner.route(ZuulRunner.java:84)
    at com.netflix.zuul.http.ZuulServlet.route(ZuulServlet.java:111)
    at com.netflix.zuul.http.ZuulServlet.service(ZuulServlet.java:77)
    at org.springframework.web.servlet.mvc.ServletWrappingController.handleRequestInternal(ServletWrappingController.java:158)
    at org.springframework.cloud.netflix.zuul.web.ZuulController.handleRequestInternal(ZuulController.java:43)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:146)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:50)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:965)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:856)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:841)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.boot.actuate.autoconfigure.EndpointWebMvcAutoConfiguration$ApplicationContextHeaderFilter.doFilterInternal(EndpointWebMvcAutoConfiguration.java:300)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:103)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.netflix.hystrix.exception.HystrixRuntimeException: mainRibbonCommand failed and no fallback available.
    at com.netflix.hystrix.AbstractCommand$16.call(AbstractCommand.java:807)
    at com.netflix.hystrix.AbstractCommand$16.call(AbstractCommand.java:794)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$1.onError(OperatorOnErrorResumeNextViaFunction.java:77)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at com.netflix.hystrix.AbstractCommand$DeprecatedOnFallbackHookApplication$1.onError(AbstractCommand.java:1516)
    at com.netflix.hystrix.AbstractCommand$FallbackHookApplication$1.onError(AbstractCommand.java:1406)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:314)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:306)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$1.onError(OperatorOnErrorResumeNextViaFunction.java:78)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at com.netflix.hystrix.AbstractCommand$HystrixObservableTimeoutOperator$3.onError(AbstractCommand.java:1007)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at com.netflix.hystrix.AbstractCommand$DeprecatedOnRunHookApplication$1.onError(AbstractCommand.java:1475)
    at com.netflix.hystrix.AbstractCommand$ExecutionHookApplication$1.onError(AbstractCommand.java:1371)
    at com.netflix.hystrix.HystrixCommand$1.call(HystrixCommand.java:297)
    at com.netflix.hystrix.HystrixCommand$1.call(HystrixCommand.java:289)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at com.netflix.hystrix.AbstractCommand$1.call(AbstractCommand.java:398)
    at com.netflix.hystrix.AbstractCommand$1.call(AbstractCommand.java:377)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at com.netflix.hystrix.AbstractCommand$ObservableCommand$1.call(AbstractCommand.java:1135)
    at com.netflix.hystrix.AbstractCommand$ObservableCommand$1.call(AbstractCommand.java:1131)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.subscribe(Observable.java:7621)
    at rx.internal.operators.BlockingOperatorToFuture.toFuture(BlockingOperatorToFuture.java:57)
    at rx.observables.BlockingObservable.toFuture(BlockingObservable.java:410)
    at com.netflix.hystrix.HystrixCommand.queue(HystrixCommand.java:379)
    at com.netflix.hystrix.HystrixCommand.execute(HystrixCommand.java:335)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.forward(RibbonRoutingFilter.java:125)
    ... 59 common frames omitted
Caused by: com.netflix.client.ClientException: Number of retries on next server exceeded max 1 retries, while making a call for: CSCINDAE752860.asiapac.globalcsc.net:9080
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$4.call(LoadBalancerCommand.java:350)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$4.call(LoadBalancerCommand.java:345)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$1.onError(OperatorOnErrorResumeNextViaFunction.java:77)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber$1$1.onError(OperatorRetryWithPredicate.java:105)
    at rx.observers.SerializedObserver.onError(SerializedObserver.java:122)
    at rx.observers.SerializedSubscriber.onError(SerializedSubscriber.java:79)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onError(OperatorConcat.java:148)
    at rx.internal.operators.OperatorConcat$ConcatInnerSubscriber.onError(OperatorConcat.java:218)
    at rx.observers.SerializedObserver.onError(SerializedObserver.java:122)
    at rx.observers.SerializedSubscriber.onError(SerializedSubscriber.java:79)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onError(OperatorConcat.java:148)
    at rx.internal.operators.OperatorConcat$ConcatInnerSubscriber.onError(OperatorConcat.java:218)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.Observable$ThrowObservable$1.call(Observable.java:9415)
    at rx.Observable$ThrowObservable$1.call(Observable.java:9405)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.subscribeNext(OperatorConcat.java:177)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:142)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:78)
    at rx.internal.operators.OperatorMap$1.onNext(OperatorMap.java:55)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:43)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:32)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.subscribeNext(OperatorConcat.java:177)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:142)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:78)
    at rx.internal.operators.OperatorMap$1.onNext(OperatorMap.java:55)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:185)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:180)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber$1.call(OperatorRetryWithPredicate.java:120)
    at rx.schedulers.TrampolineScheduler$InnerCurrentThreadScheduler.enqueue(TrampolineScheduler.java:80)
    at rx.schedulers.TrampolineScheduler$InnerCurrentThreadScheduler.schedule(TrampolineScheduler.java:59)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber.onNext(OperatorRetryWithPredicate.java:77)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber.onNext(OperatorRetryWithPredicate.java:45)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:43)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:32)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.subscribe(Observable.java:7621)
    at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:442)
    at rx.observables.BlockingObservable.single(BlockingObservable.java:341)
    at com.netflix.client.AbstractLoadBalancerAwareClient.executeWithLoadBalancer(AbstractLoadBalancerAwareClient.java:102)
    at com.netflix.client.AbstractLoadBalancerAwareClient.executeWithLoadBalancer(AbstractLoadBalancerAwareClient.java:81)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonCommand.forward(RibbonCommand.java:132)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonCommand.run(RibbonCommand.java:106)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonCommand.run(RibbonCommand.java:1)
    at com.netflix.hystrix.HystrixCommand$1.call(HystrixCommand.java:294)
    ... 104 common frames omitted
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:184)
    at com.sun.jersey.api.client.Client.handle(Client.java:648)
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:680)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
    at com.netflix.niws.client.http.RestClient.execute(RestClient.java:618)
    at com.netflix.niws.client.http.RestClient.execute(RestClient.java:527)
    at com.netflix.niws.client.http.RestClient.execute(RestClient.java:92)
    at com.netflix.client.AbstractLoadBalancerAwareClient$1.call(AbstractLoadBalancerAwareClient.java:109)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:303)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:287)
    ... 145 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:115)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:170)
    ... 155 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 173 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 179 common frames omitted

ryanjbaxter commented 7 years ago

Looks like the service Zuul is connecting to is using a certificate that is not trusted

Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at

atiwari54 commented 7 years ago

@ryanjbaxter, it's a self-signed certificate, and if I use "URL" instead of "serviceId" it's working fine

ryanjbaxter commented 7 years ago

Using URL instead of serviceId takes two different code paths as you might imagine. The HTTP Client used will be configured differently. Do you have zuul.sslHostnameValidationEnabled=false in your properties? Actually could you post your application.properties (or yaml)?

atiwari54 commented 7 years ago

@ryanjbaxter, @spencergibb please find my source code here https://github.com/atiwari54/netflix

atiwari54 commented 7 years ago

In ZUUL's application.yml, when you comment out serviceId and enable url, it will run

ryanjbaxter commented 7 years ago

Your projects are using an extremely old version of Spring Cloud Netflix. I suggest you try the latest Camden release, SR5, and leverage the Spring Cloud BOM in your POM files and try again.

atiwari54 commented 7 years ago

@ryanjbaxter I have updated the code and checked it in, but I am still facing the same certificate issue with service id; for URL it's working

spencergibb commented 7 years ago

What have you done to make the certificate trusted?

atiwari54 commented 7 years ago

@spencergibb I used the following command:

    keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -ext SAN=DNS:localhost,IP:127.0.0.1 -validity 9999

spencergibb commented 7 years ago

And did you install that anywhere? Using it for SSL with boot won't make it available to Java libraries.

atiwari54 commented 7 years ago

@spencergibb No, I didn't install it because I'm using Java 8, so it's not required to import in key tool. Even if you comment out the service id and enable the url in ZUUL, it will work.

ryanjbaxter commented 7 years ago

So the reason it works when using a url and doesn't when using a serviceId is because we essentially configure the SSL TrustManager to accept all certs in SimpleHostRoutingFilter, which handles routing URLs. (I am curious as to what setting zuul.sslHostnameValidationEnabled=false actually does since we aren't really validating the certificates anyways in SimpleHostRoutingFilter).

When you specify a serviceId we will use RibbonLoadBalancingHttpClient (by default) which does not configure any kind of TrustManager so certificates will be validated. If the cert is not trusted by the JVM then it will throw an exception.

IMO I think that we should actually be validating certs by default in SimpleHostRoutingFilter as well instead of not validating them. And then have a flag to disable it if need be that works regardless of how the request is being proxied.
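
Added example, not part of the original thread or of the project's code: using only the JDK's JSSE classes, it trusts one exported backend certificate instead of accepting all certificates, and leaves hostname verification on. The class name, the `backend` alias and the two command-line arguments are assumptions; the certificate file is assumed to have been exported beforehand, for example with `keytool -exportcert -rfc`.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name; not part of Spring Cloud Netflix.
public class PinnedTrustExample {

    /** Reads one X.509 certificate (PEM or DER) from a file. */
    static X509Certificate readCertificate(String path) throws Exception {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            return (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
    }

    /** Builds an SSLContext whose trust store holds only the given certificate. */
    static SSLContext contextTrusting(X509Certificate cert) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);                      // empty in-memory store
        trustStore.setCertificateEntry("backend", cert);  // alias is arbitrary
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);     // no client key, default RNG
        return ctx;
    }

    /** Returns the dNSName (type 2) and iPAddress (type 7) SAN values, lower-cased. */
    static List<String> subjectAltNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                int type = (Integer) san.get(0);
                if (type == 2 || type == 7) {
                    names.add(String.valueOf(san.get(1)).toLowerCase());
                }
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java PinnedTrustExample <backend.crt> <https-url>");
            System.exit(2);
        }
        X509Certificate cert = readCertificate(args[0]);
        URL url = new URL(args[1]);

        // A certificate issued with SAN=DNS:localhost,IP:127.0.0.1 does not cover the
        // host name a service registers in Eureka, so check coverage before connecting.
        // Exact match only; wildcard SAN entries are not handled here.
        List<String> sans = subjectAltNames(cert);
        System.out.println("SAN entries: " + sans);
        if (!sans.contains(url.getHost().toLowerCase())) {
            System.out.println("Host " + url.getHost()
                    + " is not in the SAN list; hostname verification will fail.");
        }

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Only the trust anchors change; the default HostnameVerifier stays in place.
        conn.setSSLSocketFactory(contextTrusting(cert).getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLException e) {
            // Untrusted chain ("PKIX path building failed") or a host name mismatch.
            System.out.println("TLS handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```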

spencergibb commented 7 years ago

with zuul & ribbon you can define your own Apache HttpClient with the options you want.

atiwari54 commented 7 years ago

@spencergibb and @ryanjbaxter, so now what should I do?

  1. Should I import the certificate in the JVM?
  2. Or do I have to set up my HTTP client?

spencergibb commented 7 years ago

Either approach works

atiwari54 commented 7 years ago

@spencergibb can you please provide me some help for the second approach.. how can I create my http client?

spencergibb commented 7 years ago

@atiwari54 have you tried to create a @Bean of HttpClient?

atiwari54 commented 7 years ago

@spencergibb I added the following code in the following order:

  1. First in ZUUL, but I still get the same error
  2. Removed from ZUUL and added in Eureka, but the result is the same
  3. In both ZUUL and EUREKA, but the result is the same

Is there any issue in the code?

    // `resource` and `keyStorePassword` are not defined in the posted snippet.
    @Bean
    public HttpClient httpClient() throws Exception {
        final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        if (resource.exists()) {
            InputStream inputStream = resource.getInputStream();

            try {
                if (inputStream != null) {
                    trustStore.load(inputStream, keyStorePassword.toCharArray());
                }
            } finally {
                if (inputStream != null) {
                    inputStream.close();
                }
            }
        } else {
            throw new RuntimeException("Cannot find resource: " + resource.getFilename());
        }

        // Trusts the loaded store and, via TrustSelfSignedStrategy, any self-signed certificate.
        SSLContext sslcontext = SSLContexts.custom().loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()).build();
        // Restricts the protocol to TLSv1; ALLOW_ALL_HOSTNAME_VERIFIER turns hostname verification off.
        SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext, new String[]{"TLSv1"}, null, org.apache.http.conn.ssl.SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); // getDefaultHostnameVerifier()
        CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();

        return httpClient;
    }

ryanjbaxter commented 7 years ago

@atiwari54 a little bit of confusion here on what you need to do.

If you create a bean that extends RibbonLoadBalancingHttpClient (or OkHttpLoadBalancingClient depending on what Http Client you want to use) and then override the createDelegate method to customize the HttpClient you should be able to tell the client to not validate the certificate.

spencergibb commented 7 years ago

@atiwari54 yup, my bad. What I was thinking of was the feign http client.

AereXu commented 7 years ago

@atiwari54 Hello! Recently I've been working on using a self-signed cert without importing it into the JVM. Can I rephrase your question as: when you run Zuul, you can't see it in Eureka Server, but you still want Zuul to forward your request, and then you hit an exception?
If that's your question, I can say it's caused by Zuul not being able to get other Eureka clients' information, which is caused by your Zuul rejecting the HTTPS connection due to the self-signed cert.
All Eureka clients (including Zuul) use a DiscoveryClient, which will only use the default Apache HTTP client. To replace this client, you must supply a DiscoveryClient.DiscoveryClientOptionalArgs bean which has a custom EurekaJerseyClient. I asked a question and posted the answer myself here: http://stackoverflow.com/questions/42289196/how-to-override-spring-cloud-eureka-default-discovery-client-default-ssl-context My method is not elegant but it does work for me. Hope it helps you!

atiwari54 commented 7 years ago

@ryanjbaxter will it come with 1.3.0RC1 or 1.3.0RC2?

atiwari54 commented 7 years ago

@AereXu I can see ZUUL in my Eureka, but my request is not forwarded to my UX app, and I get com.netflix.zuul.exception.ZuulException: Forwarding error, followed by com.netflix.client.ClientException: Load balancer does not have available server for client: UX

ryanjbaxter commented 7 years ago

@atiwari54 it is marked as an enhancement. It did not make it into 1.3.0.RC1 as that was released already this week. It might make it into the next release, it depends on timing and demand for the change.

aniruthmp commented 7 years ago

Hey, zuul.sslHostnameValidationEnabled=false worked for us when we had custom SSL certificates and noticed that zuul call was failing during SSL handshake. Thank you

spencergibb commented 7 years ago

@ryanjbaxter did #2026 fix this?

ryanjbaxter commented 7 years ago

Yes it should, I will close it.